Conventionally, two basic strategies exist for scanning computer devices for compliance and risk information. The first method is referred to herein as client-based and the second method is referred to herein as client-less. Client-based scanning methods require that a client (i.e., a computer application) be installed on each target device (i.e., the device being scanned), with the client running as a process. Once the process has run the requisite checks, the client communicates with a networked central collection point to report the results of the scan. Client-less scanning methods are executed on a device other than the target device (for example, scanning is executed at a server) and perform their checks by port scanning, by querying public network interfaces or, with the proper user credentials, by querying the target device directly. Each of the two methods provides distinct advantages and disadvantages.
From the perspective of its advantages, client-based scanning runs the scan operation whenever the target device is running, which ensures that the scan will occur. In addition, once the target device is connected to the network, the results of the scan are communicated, ensuring that scan results are properly recorded. Moreover, since the method uses local processing resources on the target device, the processing load is spread across all of the target devices, thus eliminating the need to deploy large, processing-intensive scanning devices at the server level. From the perspective of its disadvantages, however, client-based scanning is limited because a target device that does not have the client installed goes undetected. Additionally, in many instances, if the client is not running while the target device is in communication with the network, the target device goes undetected. Such occurrences are likely, given that such scanning clients can be identified and disabled by the user. In addition, client-based scanning systems do not perform network discovery of new computing devices, and therefore the systems are unaware of new devices or subnets requiring scanning. Moreover, clients require periodic updating or revision over time; in a client-based system, such updating requires that the client be capable of being updated and, if so, that the target device be connected to the network while the client is running in order for the update to occur.
Client-less scanning benefits in that network discovery can be readily performed to identify new computing devices not previously seen or scanned. In addition, client-less scanning does not require installation on the target device, and therefore issues related to improper installation or failure to install are averted. In the same regard, since client-less scanning does not require a running process on the target device, it is less susceptible to being disabled by the target user. Additionally, since the scanning process is executed centrally, client-less scanning can be updated and revised centrally, ensuring that all scans going forward implement the same revision of the application. However, client-less scanning also has numerous disadvantages. For example, the target device must be connected to the network when the scan is being executed; if the target device is unconnected, it will go undetected. In addition, in many instances in which information retrieval is restricted to port scanning, the information that is retrieved may be limited in scope. Additionally, enterprise scanning may be suspended during “black-out” periods, and any target device that connects to the network during that period goes undetected. Moreover, such a client-less system requires large, processor-intensive scanning devices to be distributed geographically across the network to accommodate the scanning process.
Therefore, a need exists to develop a computing device scanning process that combines the benefits of the client-based and client-less scanning procedures while addressing the disadvantages of both. Specifically, the desired system should eliminate the need to install clients/applications on the target device, thereby eliminating the possibility of devices going undetected and of target users disabling the client. The desired system should know when a target device is connected to the network and scan it at the most opportune time. In addition, the desired system should not be limited to one means of retrieving information from target devices, but rather allow for multiple means of retrieval. Additionally, the desired system should be capable of network discovery to ensure that newly added target devices are properly identified and scanned. Moreover, the desired system should detect devices that come online during a “black-out” period, when enterprise-wide scanning is suspended, and scan only the identified device to prevent enterprise-wide impact. Additionally, the desired system should identify incomplete scans of a target device, so as to ensure that re-scanning occurs, and should identify target devices that are high-risk due to previous scan results.
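The scheduling behaviour the preceding paragraphs call for (scan on connection, network discovery of unknown devices, targeted scans only during a black-out period, re-scan after incomplete scans, priority for high-risk devices) can be expressed as a small target-selection routine. The following is an added illustration, not code from the patent text; the event format, `DeviceState` fields and device names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class DeviceState:
    known: bool = True             # previously identified by network discovery
    last_scan_complete: bool = True
    high_risk: bool = False        # flagged by a previous scan result

Event = Tuple[int, str, str]       # (time, device_id, "connect" | "disconnect"); constructed format

def online_devices(events: List[Event], now: int) -> Dict[str, int]:
    """Replay connection events up to `now`; return device -> time it last connected."""
    online: Dict[str, int] = {}
    for t, dev, kind in sorted(events):
        if t > now:
            break
        if kind == "connect":
            online[dev] = t
        else:
            online.pop(dev, None)
    return online

def scan_reason(st: DeviceState, in_blackout: bool) -> str:
    """Highest-priority reason to scan a device that is online right now."""
    if not st.known:
        return "discovery"          # never seen before: network discovery result
    if not st.last_scan_complete:
        return "rescan"             # previous scan did not finish
    if st.high_risk:
        return "high-risk"          # prior results warrant prompt re-check
    return "targeted" if in_blackout else "scheduled"

def select_targets(events: List[Event], now: int, blackout: Optional[Tuple[int, int]],
                   states: Dict[str, DeviceState]) -> Dict[str, str]:
    """Return device -> reason for every device that should be scanned at `now`.

    During a black-out window only devices that connected inside the window are
    scanned (individually); devices already online before it are left alone so the
    suspended enterprise-wide scan is not re-triggered. Outside a black-out, every
    online device is scanned.
    """
    in_blackout = blackout is not None and blackout[0] <= now <= blackout[1]
    plan: Dict[str, str] = {}
    for dev, connected_at in online_devices(events, now).items():
        if in_blackout and connected_at < blackout[0]:
            continue                # online since before the black-out: skip
        st = states.get(dev, DeviceState(known=False))
        plan[dev] = scan_reason(st, in_blackout)
    return plan
```

Devices that go offline before the scan is made are simply absent from `online_devices`, which is the client-less failure mode the text describes; a real system would re-evaluate on every connection event rather than at a fixed `now`.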